The Common Information Model (CIM) system provides an interface that enables hardware-level management from remote applications using a set of standard APIs. To ensure that the CIM interface is secure, provide only the minimum access necessary to these remote applications. If you provision a remote application with a root or Administrator account, and if the application is compromised, the virtual environment can be compromised.
CIM is an open standard that defines a framework for agent-less, standards-based monitoring of hardware resources for ESXi hosts. This framework consists of a CIM object manager, often called a CIM broker, and a set of CIM providers.
CIM providers support management access to device drivers and underlying hardware. Hardware vendors, including server manufacturers and hardware device vendors, can write providers that monitor and manage their devices. VMware writes providers that monitor server hardware, ESXi storage infrastructure, and virtualization-specific resources. These providers run inside the ESXi host and are lightweight and focused on specific management tasks. The CIM broker takes information from all CIM providers and presents it to the outside world using standard APIs. The most common API is WS-MAN.
Do not provide root credentials to remote applications that access the CIM interface. Instead, create a less-privileged vSphere user account for these applications and use the VIM API ticket function to issue a sessionId (called a "ticket") to this less-privileged user account to authenticate to CIM. If the account has been granted permission to obtain CIM tickets, the VIM API can then supply the ticket to CIM. These tickets are then supplied as both the user ID and password to any CIM-XML API call. See the AcquireCimServicesTicket() method for more information.
The CIM service starts when you install a third-party CIM VIB, for example, when you run the following command:
esxcli software vib install -n VIBname
If you must enable the CIM service manually, run the following command:
esxcli system wbem set -e true
If necessary, you can disable wsman (WSManagement Service) so that only the CIM service is running:
esxcli system wbem set -W false
To confirm that wsman is disabled, run the following command:
esxcli system wbem get
…
WSManagement PID: 0
WSManagement Service: false
For more information about ESXCLI commands, see ESXCLI Documentation. For more information about enabling the CIM service, see the VMware knowledge base article at https://kb.vmware.com/kb/1025757.
- Create a non-root vSphere user account for CIM applications.
See the topic on adding vCenter Single Sign-On users in vSphere Authentication. The required vSphere privilege for the user account is.
- Use the vSphere API SDK of your choice to authenticate the user account to vCenter Server. Then call AcquireCimServicesTicket() to return a ticket to authenticate with ESXi as an administrator-level account using CIM-XML port 5989 or WS-Man port 433 APIs.
See vSphere Web Services API Reference for more information.
- Renew the ticket every two minutes as needed.
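The ticket workflow in the steps above and the wsman check from the ESXCLI section, as an added example that is not VMware's code. It assumes pyvmomi is installed, that the VIM method is exposed as HostSystem.AcquireCimServicesTicket() returning an object with a sessionId field, and that the vSphere account used holds the permission the page requires; the helper names and the sample esxcli output are constructed for illustration. The vCenter call is kept in its own function so the rest (parsing the esxcli output, building the CIM-XML Basic auth header, deciding when the two-minute renewal is due) runs offline.

```python
"""Added example, not VMware's code: acquire a CIM ticket for a less-privileged
vSphere user, supply it as user ID and password to CIM-XML, renew it on schedule,
and verify that wsman is disabled from `esxcli system wbem get` output."""
import base64
import ssl
from dataclasses import dataclass
from typing import Callable, Optional

TICKET_LIFETIME_S = 120  # page: renew the ticket every two minutes

# Constructed sample of `esxcli system wbem get` output (only the two lines the page shows).
SAMPLE_WBEM_GET = """\
WSManagement PID: 0
WSManagement Service: false
"""


def wbem_service_state(esxcli_output: str) -> dict:
    """Parse `esxcli system wbem get` output into {name: value} pairs."""
    state = {}
    for line in esxcli_output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            state[key.strip()] = value.strip()
    return state


def wsman_disabled(esxcli_output: str) -> bool:
    """True when WSManagement is off, i.e. only the CIM service is running."""
    state = wbem_service_state(esxcli_output)
    return state.get("WSManagement Service") == "false" and state.get("WSManagement PID") == "0"


def cim_basic_auth_header(ticket: str) -> str:
    """The ticket is passed as both user ID and password to CIM-XML calls; over
    HTTPS (CIM-XML port 5989) that is an ordinary Basic Authorization header."""
    token = base64.b64encode(f"{ticket}:{ticket}".encode()).decode()
    return f"Basic {token}"


@dataclass
class CimTicketCache:
    """Remembers when the current ticket was issued so callers renew on time."""
    ticket: str = ""
    issued_at: Optional[float] = None

    def needs_renewal(self, now: float) -> bool:
        return self.issued_at is None or now - self.issued_at >= TICKET_LIFETIME_S

    def store(self, ticket: str, now: float) -> None:
        self.ticket, self.issued_at = ticket, now


def fresh_ticket(cache: CimTicketCache, now: float, fetch: Callable[[], str]) -> str:
    """Return a usable ticket, calling fetch() only when the cached one is two minutes old."""
    if cache.needs_renewal(now):
        cache.store(fetch(), now)
    return cache.ticket


def acquire_cim_ticket(vcenter: str, user: str, password: str, esxi_host_name: str) -> str:
    """Log in to vCenter as the non-root CIM user and return the ticket's sessionId.
    Assumptions: pyvmomi is installed and HostSystem.AcquireCimServicesTicket()
    returns an object with a sessionId attribute. Needs network access; not run offline."""
    from pyVim.connect import SmartConnect, Disconnect
    from pyVmomi import vim

    ctx = ssl.create_default_context()  # verify vCenter's certificate; do not disable this
    si = SmartConnect(host=vcenter, user=user, pwd=password, sslContext=ctx)
    try:
        view = si.content.viewManager.CreateContainerView(
            si.content.rootFolder, [vim.HostSystem], True)
        host = next(h for h in view.view if h.name == esxi_host_name)
        view.Destroy()
        return host.AcquireCimServicesTicket().sessionId
    finally:
        Disconnect(si)


if __name__ == "__main__":
    print("wsman disabled:", wsman_disabled(SAMPLE_WBEM_GET))
    cache = CimTicketCache()
    # Replace the lambda with a closure over acquire_cim_ticket(...) for a real host.
    ticket = fresh_ticket(cache, now=0.0, fetch=lambda: "constructed-ticket")
    print(cim_basic_auth_header(ticket))
```

In a long-running monitoring application, pass the current monotonic time to fresh_ticket() before each CIM request and wrap acquire_cim_ticket() in the fetch callable; the cache then re-issues the ticket at the two-minute mark without the application ever holding root or Administrator credentials for the host.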